Review My Emails
12 steps to stay out of the spam folder (and stay there)
Gmail and Yahoo started enforcing stricter sender rules in February 2024. That was over two years ago. If you haven't checked your compliance since then, you're likely already being penalized. The error messages won't tell you that's why.
These rules aren't suggestions. Fail them and your emails get silently routed to spam, throttled, or rejected outright. The worst part: you'll think it's a content problem when it's actually a plumbing problem.
You're a bulk sender if any single domain you own has sent (or will ever send) 5,000+ messages within a 24-hour window to Gmail, Yahoo, or Microsoft (Outlook, Hotmail, Live) addresses. This is measured at the domain level. Not per inbox, not per subdomain, not per campaign. It's your total volume across the whole domain in any given day.
That means if you sent one big launch campaign last year that pushed you over 5,000 to Gmail addresses for one day, you're a bulk sender. You don't have to be sending 5,000 a day every day. You only have to have crossed it once. The classification stays with the domain, even if you only send 200/day going forward.
You still need steps 1-5 even if your domain has never crossed 5,000. The authentication requirements apply to every sender. The stricter rules (one-click unsubscribe, spam rate caps, complaint monitoring) are what kick in at bulk-sender classification.
This checklist maps each requirement to something you can check in the next 30 minutes. Not theory. Actions.
Enter your email and domain. We'll check SPF, DMARC, DNS, and more in seconds. Your results are saved so you can come back.
Most businesses don't send email from just one domain. You run Steps 1-12 for each domain and subdomain that sends email. Before you start checking boxes, make a list.
What to do: Write down every domain and subdomain your organization uses for email. Including the ones you forgot about.
Common ones people forget:
Why non-sending domains matter: If you own examplebrand.com but never send email from it, you still need a DMARC record. Otherwise anyone can spoof it. Publishing v=DMARC1; p=reject on domains you don't use for email tells mailbox providers "reject everything claiming to be from this domain." That's free protection.
sp= (subdomain policy) in the parent record. SPF and DKIM records are never inherited. Each subdomain needs its own.What to do: Add a TXT record at your domain that lists every server allowed to send email on your behalf.
How to check: SPF Checker. Enter your domain. You should see a valid record that includes your ESP.
What to do: Count the DNS lookups in your SPF record. Every include:, a:, mx:, and redirect= counts as one lookup. You get 10 total. Go over and your entire SPF record fails silently.
How to check: SPF Checker shows your lookup count.
include:spf.esp.com and that record itself has 4 include: statements inside it, all 5 count toward your 10. Re-check the count every time you add a sending service.What to do: Configure your sending service to sign outgoing emails with DKIM. This adds a cryptographic signature to every message that proves it wasn't tampered with in transit.
How to check: DKIM Checker. You'll need your domain and the DKIM selector (your ESP provides this).
d= value in the DKIM signature matches your domain.What to do: Add a TXT record at _dmarc.yourdomain.com with at minimum: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
How to check: DMARC Parser. Enter your domain.
p=none with a working rua= parser is a legitimate starting point. p=none with no rua= (or a rua= going to an unmonitored inbox) is decorative DNS.p=none and forgetting about it is the most common mistake. Gmail and Yahoo require DMARC to exist, but p=none only monitors. It doesn't protect you from spoofing.What to do: Either SPF or DKIM (or both) must not only pass but also align with your From: domain.
How to check: Send yourself a test email, then run the headers through Email Header Analyzer. Look for dmarc=pass.
What to do: Your sending IPs need valid forward DNS (A record) and reverse DNS (PTR record), and they need to match each other.
How to check: MX Lookup for your domain to find sending IPs, then verify PTR records.
What to do: All marketing emails must include RFC 8058 one-click unsubscribe headers: List-Unsubscribe (HTTPS URL) and List-Unsubscribe-Post: List-Unsubscribe=One-Click.
How to check: Send yourself a test marketing email. View full headers. Both headers must be present.
List-Unsubscribe-Post header.What to do: Treat 0.10% as your operational target. 0.30% is the cliff.
How to check:
What to do: Your From: address must be on a domain you control, not gmail.com, yahoo.com, or any free provider.
mybusiness@gmail.com. You need your own domain.What to do: Emails must follow RFC 5322. No header manipulation, no deceptive From: addresses, no malformed headers.
How to check: Email Header Analyzer.
What to do: Use separate subdomains or IPs for transactional email and marketing email.
What to do: p=none was always a starting line. Real DMARC means p=quarantine or p=reject.
p=reject too fast will block legitimate emails you forgot about. The safe path: p=none (monitor 2-4 weeks), then p=quarantine with pct=10, then gradually increase.12/12
You're fully compliant. Now maintain it. Re-check quarterly, especially after adding new sending services.
9-11
Almost there. The gaps are probably Step 2 (SPF lookups), Step 8 (not monitoring spam rate), or Step 12 (still at p=none).
5-8
You have the basics but you're exposed. Gmail and Yahoo are probably already throttling some of your mail.
Under 5
You're likely seeing deliverability problems. Start with Steps 1, 3, and 4. Authentication first, everything else follows.
| Requirement | Your ESP usually handles | You must configure yourself |
|---|---|---|
| SPF | They provide the include: value | You add it to your DNS TXT record |
| DKIM | They generate the key pair | You publish the DNS record |
| DMARC | Nothing | You create and publish the entire record |
| One-click unsubscribe | Header generation + POST handling | Verify it's turned on |
| Spam rate monitoring | Some in-app complaint metrics | Set up Postmaster Tools, Yahoo CFL, SNDS/JMRP |
| Reverse DNS | Yes, for shared IPs | Only if you use a dedicated IP |
| Stream separation | Some offer subdomain routing | You decide the architecture + set up DNS |
| Date | What happened |
|---|---|
| Feb 2024 | Gmail and Yahoo begin enforcing authentication for all senders |
| Apr 2024 | Gmail starts rejecting non-compliant bulk mail |
| Jun 2024 | One-click unsubscribe enforcement for 5,000+ senders |
| Sep 2024 | Enforcement fully active |
| Apr 2025 | Microsoft announces identical requirements |
| May 2025 | Microsoft begins enforcement |
| 2025+ | Industry-wide adoption. The baseline expectation. |
Email sos@reviewmyemails.com and we'll respond within 24 hours. Include your domain and the step you're working through.
Email SOS team